FTC: Dealer exposed sensitive customer data on P2P computers

July 6, 2012

The Federal Trade Commission in June charged two companies, including a Georgia dealership, with illegally exposing the sensitive personal information of thousands of consumers by allowing peer-to-peer (P2P) file-sharing software to be installed on their corporate computer systems.

The enforcement action against Franklin Toyota Scion alleges that, as a result of the dealership’s failure to implement reasonable security measures to protect its customers’ personal information—names, addresses, Social Security numbers, birthdates and driver’s license numbers—the personal information of 95,000 customers was made available on a P2P network.

As part of its settlement for violating the GLB Safeguards Rule and the Privacy Rule, Franklin Toyota-Scion must establish and maintain a comprehensive information security program, and undergo data security audits by independent auditors every other year for 20 years.

P2P file-sharing software presents significant data security risks: once a file has been shared to a P2P network, any user with access to that network can view and download it, and because copies are redistributed by other peers, such files generally cannot be permanently removed from the network.

In addition to the data security violations, the FTC alleged that the dealership engaged in an unfair or deceptive act or practice by misrepresenting, in its privacy notice, the measures it would take to protect customer information from unauthorized access.

It is important that dealers:

(a) consider threats that may arise from P2P software when assessing the adequacy of their current customer information safeguards, and then adjust their customer information security program accordingly; and

(b) ensure that the representations in their privacy notices are consistent with their actual customer information security practices.
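One concrete way to act on recommendation (a) is to periodically scan any folder a P2P client would share for the data classes named in the complaint before a customer file ever leaves the building. The script below is an added example, not tooling described by the FTC or used by the dealership; the folder layout, file names and customer records it builds are constructed for the demonstration, and the SSN and birthdate patterns are ordinary regular expressions rather than a full data-loss-prevention engine.

```python
"""Scan a would-be P2P shared folder for customer-record content.

Added example for this article; the FTC complaint describes no such tool.
All sample files below are constructed for the demonstration.
"""
import os
import re
import tempfile

# SSN pattern that rejects the invalid area numbers 000, 666 and 900-999,
# an all-zero group and an all-zero serial, to cut obvious false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Birthdate in MM/DD/YYYY form.
DOB_RE = re.compile(r"\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d\d\b")

# Only text-like files are opened; media and installers are skipped.
TEXT_EXT = {".csv", ".txt", ".xml", ".json", ".log", ".htm", ".html"}
MAX_BYTES = 16 * 1024 * 1024  # do not read arbitrarily large files


def scan_file(path):
    """Return {'ssn': n, 'dob': m} counts for one text file, or None if skipped."""
    if os.path.splitext(path)[1].lower() not in TEXT_EXT:
        return None
    if os.path.getsize(path) > MAX_BYTES:
        return None
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="ignore")
    return {"ssn": len(SSN_RE.findall(text)), "dob": len(DOB_RE.findall(text))}


def scan_shared_dir(root, min_ssn=1):
    """Walk `root` and report files holding at least `min_ssn` SSN-shaped values.

    Returns {relative_path: {'ssn': n, 'dob': m}}. Raising `min_ssn` trades
    recall for fewer false positives on part numbers and similar strings.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            counts = scan_file(full)
            if counts and counts["ssn"] >= min_ssn:
                findings[os.path.relpath(full, root)] = counts
    return findings


def build_sample_share():
    """Create a constructed shared folder: one exported deal file, one harmless
    text file and one binary that should be skipped. Returns the folder path."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    deals = (
        "name,address,ssn,dob,dl_number\n"
        "Ann Example,1 Main St,123-45-6789,03/14/1970,X000001\n"
        "Bo Sample,2 Oak Ave,587-65-4321,11/02/1985,X000002\n"
        "Cy Demo,3 Elm Rd,234-56-7890,07/30/1962,X000003\n"
    )
    with open(os.path.join(root, "deals_2011.csv"), "w") as fh:
        fh.write(deals)
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("Shared music and videos only. No customer files here.\n")
    with open(os.path.join(root, "song.mp3"), "wb") as fh:
        fh.write(b"\xff\xfb\x90\x00" + b"123-45-6789")  # binary: never opened
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, counts in scan_shared_dir(share).items():
        print(f"{rel}: {counts['ssn']} SSNs, {counts['dob']} birthdates")
```

Run against the real download or shared directories of any P2P client found on a workstation; a non-empty result means customer records are already exposed and the file-sharing software, not just the file, needs to go.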

The other business charged by the FTC is a debt collector in Provo, Utah.